US federal agencies ordered to patch hundreds of actively exploited vulnerabilities
CISA directive establishes tight patching deadlines
US federal agencies have been ordered to establish a system for rapidly patching hundreds of known, actively exploited vulnerabilities.
A directive from the Cybersecurity and Infrastructure Security Agency (CISA) requires US federal departments and agencies to review and update their vulnerability management procedures within 60 days.
They will each be required to “establish a process for ongoing remediation of vulnerabilities that CISA identifies”, focusing on a catalogue of security flaws known to be under active attack.
Rapid remediation effort
In cases where the CVE was assigned last year or earlier and the vulnerability is being exploited in the wild, agencies have a six-month deadline to complete patching.
“All other vulnerabilities” (ie flaws with a CVE issued this year) need to be boxed off within two weeks in what’s set to become an ongoing rapid remediation effort. “These default timelines may be adjusted in the case of grave risk to the Federal Enterprise,” CISA’s directive states.
The catalogue of known exploited vulnerabilities maintained by CISA already runs to 300 items or so, including a few dozen discovered this year and several older exploited vulnerabilities dating back as far as 2016.
Tackling this to-do list seems sure to involve a great deal of work in security triage, patching, and remediation at multiple US federal agencies in the run-up to Christmas. The directive also introduces tighter internal tracking and external reporting requirements, a recipe for plenty of overtime for federal sysadmins and their managers in the new year.
The directive applies to all software and hardware found on federal information systems, whether managed internally or hosted by third parties, an important consideration when government agencies, much like mainstream businesses, rely heavily on the cloud, outsourcing, and managed services.
Where SolarWinds blow
The program is aimed at improving the security posture of US federal agencies in the wake of the infamous SolarWinds supply chain attack.
Attackers suspected of working for Russian intelligence compromised the update mechanism of Orion, SolarWinds’ enterprise network management software, and used it to plant malware on a subset of customers, with US federal agencies among those targeted.
It’s not the first time US federal systems have been successfully attacked. The US Office of Personnel Management data breach infamously exposed the records of 20 million government employees including Social Security numbers and much more back in 2015.
Bug Bounty foundations
The CISA directive marks the latest step in the US government’s ongoing strategy of improving its security posture.
Recent years have witnessed the launch of the ‘Hack the Pentagon’ and ‘Hack the Army’ series of bug bounty events.
In a further attempt at protecting its immense attack surface, in June the US government launched its first federal civilian security vulnerability disclosure program (VDP) in partnership with Bugcrowd.